U.S. Department of Energy
Office of Inspector General
Office of Audit Operations

Evaluation Report

The Department's Unclassified Cyber Security Program - 2004

DOE/IG-0662                    September 2004


EVALUATION REPORT ON THE DEPARTMENT'S UNCLASSIFIED CYBER SECURITY PROGRAM - 2004

TABLE OF CONTENTS

Cyber Security Program
    Details of Finding ........................................ 1
    Recommendations and Comments .............................. 7

Appendices
    1. Objective, Scope, and Methodology ...................... 8
    2. Related Reports ....................................... 10


CYBER SECURITY PROGRAM

Program Improvements

Our evaluation established that the Department of Energy (Department) had taken steps to strengthen its cyber security program and implemented countermeasures to reduce the network vulnerabilities addressed in our Evaluation of the Department's Unclassified Cyber Security Program-2003 (DOE/IG-0620, September 2003). Specifically, the Chief Information Officer (CIO) has issued several policies that, if effectively implemented, should improve cyber security throughout the Department. Additionally, the Deputy Secretary initiated a campaign to complete certification and accreditation of the Department's major applications and general support systems. The Department also acted to improve its reporting of cyber security incidents. Finally, the number of cyber security weaknesses we identified during our evaluation continued to decline, from a high of 69 in 2002 to 32 in FY 2004.

Cyber Security Policies

During the period under evaluation, the CIO issued several policies to address previously reported weaknesses. These policies were designed to improve the Department's security posture and included requirements for:

    •   Use of wireless devices and information systems, such as personal digital assistants and cellular phones;
    •   Certification and accreditation of all major applications and general support systems to ensure that data and information systems are appropriately secure and operating at an acceptable level of risk;
    •   Remote access to Department and contractor information systems; and,
    •   Implementation of a risk-based approach to managing cyber security and the mandatory use of the National Institute of Science and Technology (NIST) methodology for evaluating computer security.

Focus on Certification and Accreditation

During FY 2004, the Deputy Secretary initiated a campaign to conduct certification and accreditation (C&A) on all of the Department's major applications and general support systems. C&A enables program officials or system owners to, among other things, develop policies and procedures that address high-risk issues through cost-effective mitigation strategies. The Office of the Chief Information Officer (OCIO) took the lead on the C&A initiative and required program offices to certify and accredit 90 percent or more of their systems by June 30, 2004. To accomplish this objective, the OCIO established milestones and issued several data calls to the program offices. The OCIO required the programs to submit accreditation statements to support the successful completion of C&A for their systems.

Incident Prevention, Warning, and Response

The Department had also made progress in correcting the incident reporting problems outlined in our report on the Implementation of Indications, Warning, Analysis and Reporting Capability (DOE/IG-0631, December 2003). In response to the report's recommendations, the Department finalized its inventory of sites that should be reporting cyber security incidents and now requires monthly reporting from all components. Additionally, the Department issued an interim policy that includes requirements for negative reporting. The interim policy also requires Departmental elements to certify monthly, in writing, that all reportable incidents that occurred during the previous calendar month have been reported to management. The incident reporting policy is in the final stages of review, and the Department expects it to be issued in late September or early October 2004.

While these actions are positive, the Department needs to update security plans to address cyber security incident reporting, establish performance goals to fully satisfy FISMA requirements, and complete actions on our earlier recommendations. These activities, when finalized, should help to ensure that the Department provides timely notice of cyber attacks.

Risk Management and Control Procedures

Although the Department continued to make improvements to its cyber security program during the last year, we noted that additional work is needed to ensure that a comprehensive risk management program is completed. The risk management process provides the framework for managing threats to agency operations, assets, and employees resulting from the operation of an information system. Specifically, the Department has not completed necessary action in the C&A and contingency planning areas. Additionally, the Department continued to experience cyber security control problems in the areas of access controls, segregation of duties, and configuration management.

Certification and Accreditation

In spite of the Department's campaign, at the time of our review 4 of the 25 sites we evaluated had not completed C&A on all of their major applications and general support systems. While program officials currently report that work has been completed for over 90 percent of the Department's systems, we noted that some of the systems were operating under interim approval because they had not satisfied all C&A requirements. Additionally, the Government Accountability Office's (GAO) recent review of the Department's C&A process noted difficulties in determining the risks accepted by authorizing officials in the accreditation decision or the length of time the accreditation was in effect.

In a recent discussion regarding our draft report, we learned that the OCIO had initiated steps to validate the C&A process and had completed validation reviews of several packages for systems operating at Headquarters. The CIO also told us that she had asked program offices to provide copies of all system accreditation letters, including both interim and final authorities to operate, to her office. The CIO stated that these validation reviews, which included a review of accreditation letters, identified problems in the C&A process. The responsible program offices have been directed by the Deputy Secretary to correct those problems.

Contingency Planning

Five of the 25 sites included in our review had also not taken adequate action to ensure that they could maintain or resume critical operations in the event of an emergency or disaster. Specifically, the Department had not developed contingency or disaster recovery plans for financial systems at two sites, and had not tested existing contingency plans at another three sites. For example, we found one contingency plan for a financial application that did not contain documented procedures for testing the plan. Specifically, the contingency plan did not address test planning, test results, or corrective actions, key steps needed to identify flaws in the plan and its implementation. Additionally, we found that another contingency plan was in development; however, it was missing a risk assessment and had not been finalized.

Access Controls

The Department continues to experience access control weaknesses across the complex. Strong and functional access controls are essential for ensuring that only authorized individuals have access to information resources. Access controls consist of both physical and logical controls designed to protect computer resources from unauthorized modification, loss, or disclosure. We found that 7 of the 25 sites reviewed during our evaluation had cyber security weaknesses related to networks, systems, or applications, including:

    •   Passwords did not always comply with Departmental policy. For example, vendor default passwords were not changed in two instances. Since vendor default passwords are widely known, malicious individuals could exploit them to gain access to sensitive information;
    •   Excessive system administrator access privileges were granted at two sites, including an instance where temporary administrator access had not been revoked. These privileges, if exploited, could permit unauthorized or malicious modifications to systems or information;
    •   Documented procedures were not in place at two sites to ensure that account access was removed in a timely manner when employees were terminated;
    •   Periodic reviews to determine whether unauthorized use had occurred were not conducted at two sites; and,
    •   One site granted network access to certain students and visitors without performing mandatory background checks.

We also found instances of physical access deficiencies at two sites' primary data centers, including unlocked doors, unsecured media, access by non-data center employees, and audit logs that were not regularly reviewed.

Segregation of Duties

Our review disclosed several instances of inadequate segregation of duties. Such controls are important because they inhibit fraudulent activities by controlling personnel activities through formal operating procedures, supervision, and review. Specifically, we found:

    •   An employee in a financial systems group had the ability to enter invoices and then authorize them for payment, a practice that, if exploited, could result in erroneous, unauthorized, or fraudulent transactions;
    •   Eight employees could establish employee records and create payroll records for the same individuals, increasing the chance that an individual could establish and pay non-existent employees; and,
    •   Computer programmers could make system program changes and place them into the production environment, thus increasing the risk that individuals may create, and put into production, improper, unauthorized, or malicious program modifications.

Configuration Management

Our testing also revealed configuration management weaknesses at five sites we visited. Essential to a coordinated and strong security policy, configuration management controls help to ensure that computer applications and systems are controlled and protected against unauthorized modifications. While the Department corrected several problems that were reported last year, we found similar problems this year at different sites. For example, we noted:

    •   Despite the availability of vendor-supplied updates, known software security vulnerabilities had not been corrected;
    •   Ineffective planning, testing, and follow-up caused security patches designed to prevent known computer viruses and exploits to fail when deployed; and,
    •   Undocumented procedures for system changes could potentially result in inconsistently applied processes and lead to compromise of the system.

Correcting and Identifying Weaknesses

Weaknesses persisted because the Department has not ensured that organizations properly identified, tracked, and corrected previously identified cyber security weaknesses. Despite outreach efforts and the publication of detailed guidance by the Department's OCIO, we also noted that site-level information technology (IT) professionals were not always cognizant of the Department's cyber-related policies.

Plan of Action and Milestones

In spite of prior year recommendations, the Department did not always maintain and update its Plan of Action and Milestones (POAM) database and establish it as the authoritative management tool to identify and track agency actions for correcting cyber security weaknesses. While the Department had made some progress in improving the accuracy of its POAM database since our last evaluation, our review found that 9 of 47 uncorrected cyber security weaknesses reported during our FY 2003 evaluation were not included in the Department's quarterly reports to the Office of Management and Budget (OMB). Additionally, 6 of 7 findings re-issued in FY 2004 were marked as closed or completed in the POAM database but had not actually been corrected. Even though specifically noted in our previous evaluation, the Department continued its practice of permitting sites to close findings without providing supporting evidence or verifying that the weakness had actually been corrected.

To address this issue, the OCIO recently issued guidance to the program offices to ensure that cyber security weaknesses are verified as corrected prior to closing them. In particular, the OCIO now requires that the validation of closed findings be performed by someone other than the individual directly responsible for the correction of the weakness.

Cyber Security Awareness

The Department's efforts to promote the benefits of a robust cyber security program may not always be reaching the local levels of IT professionals across the Department. The OCIO has initiated a number of efforts to increase awareness of necessary cyber security controls, including issuing Departmental policy and guidance, hosting an annual cyber security conference, and providing training to IT professionals. However, we found that, in some cases, local IT professionals did not fully understand the Department's policy and guidance. For example, local officials did not understand requirements for C&A and password management.

Operational Impacts

Even though the Department's overall cyber security posture has improved, a number of unclassified information systems and networks remain vulnerable to attack. Failure to place proper emphasis on correcting identified weaknesses unnecessarily exposes critical information resources to the threat of compromise. For example, the Department's systems and networks were recently the subject of a series of successful attacks in which an external party gained broad access to multiple systems on several occasions. In addition, the Department reported that it was the subject of 199 successful intrusions during FY 2004.

As previously discussed, Government organizations face an increasing threat of intrusion or damage to their IT systems. Accordingly, the Department needs to ensure it has implemented an aggressive program of risk management and security controls to mitigate such risks.

RECOMMENDATIONS

This report identified a number of weaknesses that need to be addressed by the Chief Information Officer, in coordination with the National Nuclear Security Administration and Program Secretarial Officers. Additionally, the Department should:

    1. Ensure program elements use the POAM as a management tool for cyber security by:

        a. Entering and tracking the status of corrective actions taken to close all known cyber security weaknesses; and,
        b. Verifying the effectiveness of corrective actions before closing identified weaknesses.

    2. Require organizations to establish a mechanism to ensure that the Department's information technology policy and guidance are communicated to and understood by cognizant cyber security officials; and,

    3. Ensure that all major applications and general support systems are certified and accredited.

MANAGEMENT REACTION

Management generally concurred with our findings and recommendations. The CIO stated that C&A data was still being collected and that her office had initiated a process to independently verify and validate the C&A process. Based on an agreed-upon protocol, management provided informal comments on our report. Such comments were discussed with the CIO and her staff on September 15, 2004, and, where appropriate, have been incorporated into our report.

AUDITOR COMMENTS

Management's proposed actions are responsive to our recommendations.


Appendix 1
______________________________________________________________________

OBJECTIVE

To determine whether the Department's unclassified cyber security program adequately protected data and information systems.

SCOPE

The audit was performed between February and September 2004, at several Department locations. Specifically, we performed an assessment of the Department's unclassified cyber security program. The evaluation included a limited review of general and application controls in areas such as entity-wide security planning and management, access controls, application software development and change controls, and service continuity. Our work did not include a determination of whether vulnerabilities found were actually exploited and used to circumvent existing controls. The Office of Independent Oversight and Performance Assurance (OA) performed a separate review of classified and national security information systems.

METHODOLOGY

To accomplish the objective, we:

    •   Reviewed applicable laws and directives pertaining to cyber security and information technology resources, such as FISMA, OMB Circular A-130 (Appendix III), and DOE Order 205.1;
    •   Reviewed applicable standards and guidance issued by NIST;
    •   Reviewed the Department's overall cyber security program management, policies, procedures, and practices throughout the organization;
    •   Assessed controls over network operations to determine their effectiveness in safeguarding information resources from unauthorized internal and external sources;
    •   Evaluated selected Headquarters offices and field sites in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG LLP, the Office of Inspector General's (OIG) contract auditor. KPMG work included analysis and testing of general and application controls for systems as well as vulnerability and penetration testing of networks; and,
    •   Evaluated and incorporated into our report the results of other audits, evaluations, and inspections performed by the Department's OIG, OA, and the GAO.

We evaluated the Department's implementation of the Government Performance and Results Act related to the establishment of performance measures for unclassified cyber security. We did not rely solely on computer-processed data to satisfy our objectives. However, computer-assisted audit tools were used to perform probes of various networks and devices. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

The evaluation was conducted in accordance with generally accepted Government auditing standards for performance audits and included tests of internal controls and compliance with laws and regulations to the extent necessary to satisfy our objective. Accordingly, we assessed internal controls regarding the development and implementation of automated systems. Because our review was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our evaluation.

An exit conference was held with OCIO officials on September 15, 2004.


Appendix 2
______________________________________________________________________

RELATED REPORTS

    •   Implementation of Indications, Warning, Analysis and Report Capability (DOE/IG-0631, December 2003). The report found that the Department had not developed and implemented a program to monitor security incident reporting and had not established performance goals to measure the success of policy implementation. While the Department implemented policy changes in response to our previous audit, they were not completely effective and did not substantially increase reporting. The Department lacked focus and quantifiable performance measures to guide day-to-day operations relating to cyber security incident reporting.

    •   Management Challenges at the Department of Energy (DOE/IG-0626, November 2003). The Department's OCIO is developing corrective actions to mitigate cyber security risks and to improve relevant controls. For instance, the Department is finalizing detailed cyber security policy and guidance, and in June 2003 provided guidance for cyber security performance measurements. Additionally, the Department recently issued DOE Order 205.1, Department of Energy Cyber Management Program, which requires that continuity of operations, configuration management, and incident reporting procedures be developed and maintained in Program Cyber Security Plans and site Cyber Security Program Plans.

    •   Evaluation of the Department's Unclassified Cyber Security Program-2003 (DOE/IG-0620, September 2003). Our evaluation found that cyber security weaknesses persisted because management had not taken sufficient action to ensure that all previously identified cyber security weaknesses were properly identified, tracked, and corrected in a timely manner. The Department also had not established program-level performance metrics to guide cyber security program execution or evaluate performance. Despite OMB requirements, the Department had not always maintained and updated its POAM. Specifically, our examination revealed that 22 of 30 uncorrected cyber security weaknesses reported during our 2002 evaluation were not included in the Department's quarterly reports to OMB.

    •   Inspection of Portable Electronic Device Information Security at Selected Sites (S03IS024, September 2003). This Management Alert concerned security issues regarding the use of portable digital assistants in the Department of Energy complex.

    •   Information Security: Continued Action Needed to Improve Software Patch Management (GAO-04-706, June 2004). This audit identified, among other things, challenges to performing patch management and additional steps that can be taken to mitigate the risks created by software vulnerabilities. GAO found that agencies, including the Department, are not consistently performing risk assessments and testing all patches before deployment. However, GAO reported that agencies face several challenges to implementing effective patch management, including timeliness of patches, ensuring mobile systems receive the latest patches, and adequate resources.

    •   Information Security: Agencies Need to Implement Consistent Processes in Authorizing Systems for Operation (GAO-04-376, June 2004). GAO found that agencies, including the Department, are not consistently reporting C&A performance data. Additionally, GAO found that there are other factors that lessen the usefulness of the reported performance data, including the limited assurance of data reliability and quality and the need to refine reporting requirements to provide better information on the status of agencies' information security efforts. Further, when reviewing C&A packages from the Department, GAO found varying degrees of comprehensiveness and instances where required steps were incomplete, such as missing and/or untested contingency plans, an outdated security plan, and missing risk assessments.

    •   Information Technology Management: Government-wide Strategic Planning, Performance Measurement, and Investment Management Can be Further Improved (GAO-04-49, January 2004). The report states that Federal agencies did not always have in place important practices associated with information laws, policies, and guidance. There were also numerous instances of individual agencies that did not have specific IT strategic planning, performance measurement, or investment management practices fully in place. Agencies cited a variety of reasons for not having these practices in place, such as that the CIO position had been vacant, that not including a requirement in guidance was an oversight, or that the process was being revised.

    •   Volume II, Independent Oversight Cyber Security Inspection of the Y-12 Site Office and Y-12 National Security Complex (January 2004).

    •   Volume II, Independent Oversight Cyber Security Inspection of the Sandia National Laboratories (November 2003).

    •   Independent Oversight Cyber Security Inspection of the Thomas Jefferson National Accelerator Facility (July 2004).


The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.doe.gov

Your comments would be appreciated and can be provided on the Customer Response Form attached to the report.